hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Cognito User Pool: cannot modify or remove schema item #38096

Open wszarmach-koia opened 3 months ago

wszarmach-koia commented 3 months ago

Terraform Core Version

1.3.7

AWS Provider Version

5.55.0

Affected Resource(s)

Expected Behavior

It should be possible to add a custom attribute.

# aws_cognito_user_pool.pool will be updated in-place
  ~ resource "aws_cognito_user_pool" "pool" {
        id                        = "eu-north-1_9uEdNybKn"
        name                      = "tst_user_pool"
        tags                      = {}
        # (10 unchanged attributes hidden)

      + schema {
          + attribute_data_type = "String"
          + mutable             = false
          + name                = "custom:test"
          + required            = false

          + string_attribute_constraints {}
        }

        # (4 unchanged blocks hidden)
    }

After apply, the schema should be changed and the custom:test field should be added with the given configuration.

Actual Behavior

  # aws_cognito_user_pool.pool will be updated in-place
  ~ resource "aws_cognito_user_pool" "pool" {
        id                        = "eu-north-1_9uEdNybKn"
        name                      = "tst_user_pool"
        tags                      = {}
        # (10 unchanged attributes hidden)

      ~ password_policy {
          - temporary_password_validity_days = 7 -> null
            # (5 unchanged attributes hidden)
        }

      - schema {
          - attribute_data_type      = "String" -> null
          - developer_only_attribute = false -> null
          - mutable                  = false -> null
          - name                     = "email" -> null
          - required                 = true -> null

          - string_attribute_constraints {
              - max_length = "2048" -> null
              - min_length = "0" -> null
            }
        }
      - schema {
          - attribute_data_type      = "String" -> null
          - developer_only_attribute = false -> null
          - mutable                  = false -> null
          - name                     = "phone" -> null
          - required                 = false -> null

          - string_attribute_constraints {}
        }
      + schema {
          + attribute_data_type = "String"
          + mutable             = false
          + name                = "custom:test"
          + required            = false

          + string_attribute_constraints {}
        }
      + schema {
          + attribute_data_type = "String"
          + mutable             = false
          + name                = "email"
          + required            = true

          + string_attribute_constraints {}
        }
      + schema {
          + attribute_data_type = "String"
          + mutable             = false
          + name                = "phone"
          + required            = false

          + string_attribute_constraints {}
        }

        # (4 unchanged blocks hidden)
    }

Once applied there is an error:

aws_cognito_user_pool.pool: Modifying... [id=eu-north-1_9uEdNybKn]
╷
│ Error: updating Cognito User Pool (eu-north-1_9uEdNybKn): cannot modify or remove schema items
│ 
│   with aws_cognito_user_pool.pool,
│   on main.tf line 1, in resource "aws_cognito_user_pool" "pool":
│    1: resource "aws_cognito_user_pool" "pool" {
│ 
╵
ERRO[0303] Terraform invocation failed in ./main] 
ERRO[0303] 1 error occurred:
        * exit status 1

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cognito_user_pool" "pool" {
  name = "tst_user_pool"

  mfa_configuration = "OFF" # todo change later to OPTIONAL

  auto_verified_attributes = ["email"]

  username_attributes = ["email"]

  password_policy {
    minimum_length    = 8
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
  }

  schema {
    name                = "email"
    attribute_data_type = "String"
    mutable             = false
    required            = true

    string_attribute_constraints {}
  }

  schema {
    name                = "phone"
    attribute_data_type = "String"
    mutable             = false
    required            = false

    string_attribute_constraints {}
  }
}

resource "aws_cognito_user_pool_client" "client" {
  name = "tsts_user_pool_client"

  user_pool_id = aws_cognito_user_pool.pool.id

  allowed_oauth_flows                  = ["implicit"]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_scopes                 = ["email", "openid"]

  logout_urls   = ["https://example.com"]
  callback_urls = ["https://example.com"]

  supported_identity_providers = ["COGNITO"]
}

Steps to Reproduce

  1. Create terraform configuration as in Terraform Configuration Files
  2. Add a custom attribute to aws_cognito_user_pool.pool:

    schema {
      name                = "custom:test"
      attribute_data_type = "String"
      mutable             = false
      required            = false

      string_attribute_constraints {}
    }
  3. tg apply

Debug Output

No response

Panic Output

No response

Important Factoids

The ticket with this error has already been submitted: https://github.com/hashicorp/terraform-provider-aws/issues/21654.

The schema documentation is wrong in two places when compared with the current implementation:

  1. it is impossible to add a custom attribute due to this issue:

    schema - (Optional) Configuration block for the schema attributes of a user pool. Detailed below. Schema attributes from the standard attribute set only need to be specified if they are different from the default configuration. Attributes can be added, but not modified or removed. Maximum of 50 attributes.

  2. according to the fix from https://github.com/hashicorp/terraform-provider-aws/issues/21654, an empty string_attribute_constraints block should be omitted, but the docs say:

When defining an attribute_data_type of String or Number, the respective attribute constraints configuration block (e.g string_attribute_constraints or number_attribute_constraints) is required to prevent recreation of the Terraform resource. This requirement is true for both standard (e.g., name, email) and custom schema attributes.

The fix for https://github.com/hashicorp/terraform-provider-aws/issues/21654 only allowed reapplying the Terraform configuration when there are no changes to the previously applied schema.

It is also not possible to add a custom attribute from the administrative console and then reapply the configuration, as it wants to recreate the schema attributes from scratch, as in the actual behavior above.

Nor does it work with v5.9.0, the fix for the https://github.com/hashicorp/terraform-provider-aws/issues/21654 ticket.

References

https://github.com/hashicorp/terraform-provider-aws/issues/21654

Would you like to implement a fix?

None

github-actions[bot] commented 3 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

cstoneley-hpt commented 2 months ago

We're also experiencing this exact problem.

bannarisoftwares commented 1 month ago

Hi @wszarmach-koia

Add

string_attribute_constraints {
  max_length = "2048"
  min_length = "0"
}

on each schema to avoid this issue

Example:

schema {
  name                = "scope"
  attribute_data_type = "String"
  mutable             = true
  required            = false

  string_attribute_constraints {
    max_length = "2048"
    min_length = "0"
  }
}

When defining an attribute_data_type of String or Number, the respective attribute constraints configuration block (e.g string_attribute_constraints or number_attribute_constraints) is required to prevent recreation of the Terraform resource. This requirement is true for both standard (e.g., name, email) and custom schema attributes.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool#schema
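To make the "Actual Behavior" plan and the workaround above concrete, here is an added, self-contained Go model of the schema comparison a provider has to perform. It is not code from terraform-provider-aws; it only reproduces the mechanism the thread describes: Cognito lets you add custom attributes but never modify or remove existing ones, so the update must be a pure "add" diff. The sample data is constructed from the issue's configuration (email, phone, plus custom:test with empty constraints) and from the defaults the plan output shows the API returning for an existing String attribute (min_length "0", max_length "2048"); treating those two values as the API defaults for every String attribute is an assumption. The naive comparison reports email and phone as modified, exactly the situation that ends in "cannot modify or remove schema items"; normalizing omitted constraints to the API defaults (or, equivalently, spelling them out in HCL as bannarisoftwares suggests) yields only the addition of custom:test.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// StringConstraints mirrors the string_attribute_constraints block.
type StringConstraints struct {
	MinLength string
	MaxLength string
}

// SchemaAttribute mirrors one schema block of aws_cognito_user_pool.
// Constraints is nil when the block is omitted or left empty in HCL.
type SchemaAttribute struct {
	Name        string
	DataType    string
	Mutable     bool
	Required    bool
	Constraints *StringConstraints
}

// Assumption: these are the constraint values the API reports for a String
// attribute created without explicit constraints (taken from the "email"
// block in the issue's plan output).
const (
	defaultMinLength = "0"
	defaultMaxLength = "2048"
)

// normalize fills the assumed API defaults into a String attribute whose
// configuration omitted the constraints block, so config and remote state
// compare equal instead of looking like a modification.
func normalize(a SchemaAttribute) SchemaAttribute {
	if a.DataType == "String" && a.Constraints == nil {
		a.Constraints = &StringConstraints{MinLength: defaultMinLength, MaxLength: defaultMaxLength}
	}
	return a
}

// sameAttribute is the field-by-field equality the plan is based on.
func sameAttribute(a, b SchemaAttribute) bool {
	if a.Name != b.Name || a.DataType != b.DataType || a.Mutable != b.Mutable || a.Required != b.Required {
		return false
	}
	if a.Constraints == nil || b.Constraints == nil {
		return a.Constraints == b.Constraints // both nil, or one side missing
	}
	return *a.Constraints == *b.Constraints
}

// Diff lists attribute names by the kind of change a plan would show.
type Diff struct {
	Added    []string
	Removed  []string
	Modified []string
}

// diffSchema compares configured attributes against what the API reports,
// keyed by name. With doNormalize set, omitted constraint blocks are filled
// with the API defaults before comparing.
func diffSchema(configured, remote []SchemaAttribute, doNormalize bool) Diff {
	cfg := map[string]SchemaAttribute{}
	for _, a := range configured {
		if doNormalize {
			a = normalize(a)
		}
		cfg[a.Name] = a
	}
	rem := map[string]SchemaAttribute{}
	for _, a := range remote {
		rem[a.Name] = a
	}
	var d Diff
	for name, c := range cfg {
		r, ok := rem[name]
		switch {
		case !ok:
			d.Added = append(d.Added, name)
		case !sameAttribute(c, r):
			d.Modified = append(d.Modified, name)
		}
	}
	for name := range rem {
		if _, ok := cfg[name]; !ok {
			d.Removed = append(d.Removed, name)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	sort.Strings(d.Modified)
	return d
}

var errImmutableSchema = errors.New("cannot modify or remove schema items")

// planSchemaUpdate returns the attribute names that could be passed to an
// add-custom-attributes call, or the provider-style error when the diff
// contains anything Cognito would reject.
func planSchemaUpdate(d Diff) ([]string, error) {
	if len(d.Removed) > 0 || len(d.Modified) > 0 {
		return nil, errImmutableSchema
	}
	return d.Added, nil
}

// sampleConfigured is a constructed copy of the issue's HCL after the
// custom attribute was added, with constraints omitted as in the issue.
func sampleConfigured() []SchemaAttribute {
	return []SchemaAttribute{
		{Name: "email", DataType: "String", Required: true},
		{Name: "phone", DataType: "String"},
		{Name: "custom:test", DataType: "String"},
	}
}

// sampleRemote is a constructed view of what the API reports for the pool
// that already exists, carrying the assumed default constraints.
func sampleRemote() []SchemaAttribute {
	def := &StringConstraints{MinLength: defaultMinLength, MaxLength: defaultMaxLength}
	return []SchemaAttribute{
		{Name: "email", DataType: "String", Required: true, Constraints: def},
		{Name: "phone", DataType: "String", Constraints: def},
	}
}

func main() {
	for _, norm := range []bool{false, true} {
		d := diffSchema(sampleConfigured(), sampleRemote(), norm)
		toAdd, err := planSchemaUpdate(d)
		fmt.Printf("normalize=%v diff=%+v add=%v err=%v\n", norm, d, toAdd, err)
	}
}
```

Running it prints the naive diff first (email and phone reported as modified, so the update is refused) and then the normalized diff (only custom:test to add). The same effect is what writing `max_length = "2048"` and `min_length = "0"` into every String schema block achieves on the HCL side: the configured value matches what the API reports, so nothing existing looks changed.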

wszarmach-koia commented 1 month ago

Hi @bannarisoftwares,

the suggested fix has been mentioned earlier with the following words:

The fix for https://github.com/hashicorp/terraform-provider-aws/issues/21654 only allowed reapplying the Terraform configuration when there are no changes to the previously applied schema.

You still cannot modify the schema, or at least I couldn't with the mentioned provider versions.